Announcing the guide for claims based identity and access control

Today, we’ve put the first beta drop of the book ‘Guide for Claims based identity and access control’ online. You can find the beta of the guide at Codeplex. Over the next couple of weeks, we’ll keep placing new releases online, so keep looking.

So what are these ‘Claims’ and why create a whole guide about them? Simple: it will help you overcome the current password hell.

Password Hell

It’s true: almost every website you go to wants to know who is visiting.

This is not just a problem for regular internet users, but it’s a massive problem for organizations. A typical organization will have a lot of applications, both internal for its own employees and external for customers. Now of course, there are authentication solutions for each scenario: Windows integrated authentication, Forms based authentication, smart cards, and many more solutions. Each with its particular advantages and disadvantages.

With each solution, you get an island of identities. An Active Directory here, a database with users there. Then a couple more when the organization merges or starts to cooperate with other organizations. And each user store has to be managed when new users are introduced, roles change or people leave the organization. With typically many identity stores in an organization, this can easily become a management nightmare.

Claims based identity and access control

The goal of claims based identity and access control is to abstract the authentication logic away from applications and let somebody we trust handle it. We do this all the time in the real world.

A passport is a typical ‘real world’ example of a claim.

Passports without claims

For some countries, you need a visa to enter. That means going to the embassy and requesting a visa for that country. If you can provide sufficient reason to want to enter that country, you’ll receive your visa within several weeks. If you lose your visa, you can replace it. It will just take you several weeks again.

Sound familiar? That’s how a typical website works nowadays. You can sign up and get a password. Sometimes you get a password automatically, but sometimes it has to be created manually. And if you lose it, you’ll have to request a new one.

Passport as a claim

Fortunately, to most countries, you can travel without a visa. That’s because those countries trust each other to a certain degree. If you come with a certified valid document (your passport), and the country you are trying to enter trusts your country, then they will typically let you in. And since the passports are protected with all kinds of forgery protection tricks, it’s very hard to create a fake passport.

This looks like claims based authentication. A trusted party can issue claims (a passport) and your application can decide whether it trusts claims from that party or not. Because the claims are digitally signed, it’s nearly impossible to tamper with them. One example of this is single sign-on, such as with OpenID or a Live ID.
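To make the passport analogy concrete, here is an added example (not code from the guide or from Geneva) of the two decisions a relying application makes: is the issuer one I trust, and is the signature over the claims intact? It uses a per-issuer HMAC key and a minimal token format purely for illustration; the issuer names and keys are constructed, and real token formats use asymmetric signatures and add expiry and audience checks.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample: the "countries" whose passports this application accepts.
# Each trusted issuer (security token service) shares a secret with the application.
TRUSTED_ISSUERS = {
    "https://sts.contoso.example": b"contoso-demo-key",
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(issuer: str, key: bytes, claims: dict) -> str:
    """Issuer side: sign a set of claims, producing '<body>.<signature>'."""
    body = json.dumps({"iss": issuer, "claims": claims}, sort_keys=True).encode()
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)

def validate_token(token: str) -> Optional[dict]:
    """Application side: accept the claims only from a trusted issuer with a valid signature."""
    try:
        body_b64, sig_b64 = token.split(".")
        body = _unb64(body_b64)
        payload = json.loads(body)
        sig = _unb64(sig_b64)
    except ValueError:          # malformed base64, JSON or token layout
        return None
    if not isinstance(payload, dict):
        return None
    key = TRUSTED_ISSUERS.get(payload.get("iss"))
    if key is None:             # issuer unknown: we do not trust this "country"
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None             # claims were altered after signing
    return payload.get("claims")

def alter_claims_without_resigning(token: str, new_claims: dict) -> str:
    """Test helper: swap the claims but keep the old signature, to show the check fires."""
    body_b64, sig_b64 = token.split(".")
    payload = json.loads(_unb64(body_b64))
    payload["claims"] = new_claims
    return _b64(json.dumps(payload, sort_keys=True).encode()) + "." + sig_b64
```

A token from an issuer not in TRUSTED_ISSUERS is rejected even if it is correctly signed with that issuer's own key, which is the "we don't recognise your passport" case.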

Claims based authentication

Claims based authentication is not new. It’s been around for many years. But with the introduction of open standards and Microsoft technologies like Geneva it becomes a lot easier to implement.

Goal of the guide

Authentication touches a lot of people within your organization: architects, developers, IT pros, security experts. Each contributes a piece to the whole authentication story. The goal of the guide is to make claims based authentication and access control understandable for everybody.

So how are we doing that? With a clear, scenario based approach and lots of samples.

Yes, now YOU can also take advantage of claims based authentication

As always, we’re open to feedback. Let us know what you think and make a difference!